Working with Site-to-Site VPNs

Site-to-site VPNs allow sites in different locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use managed devices instead of VPN concentrators to connect the sites. You can also use a VPN concentrator at one site and a managed device at the other site.

Mobility Master supports the following IKE SA authentication methods for site-to-site VPNs:

Preshared key: The same IKE shared secret must be configured on both the local and remote sites.

The management MAC address of the Mobility Master should be added as the peer MAC address in the managed device to establish the IKE/IPsec tunnel with the Mobility Master. For more information on configuring the MAC address for MAC-based PSK authentication, see the Configuring MAC Address for PSK Authentication section.

Suite-B cryptographic algorithms: Managed devices support Suite-B cryptographic algorithms when the Advanced Cryptography license is installed. For more information, see Understanding Suite-B Encryption Licensing.

Digital certificates: You can configure an RSA or ECDSA server certificate and a CA certificate for each site-to-site VPN IPsec map configuration. If you use certificate-based authentication, the peer must be identified by its certificate subject name or distinguished name (for deployments using IKEv2), or by the peer's IP address (for IKEv1). For more information about importing server and CA certificates into Mobility Master, see Management Access.

 

Certificate-based authentication is only supported for site-to-site VPN between two managed devices with static IP addresses. IKEv1 site-to-site tunnels cannot be created between a Mobility Master and a managed device.

Enable IP compression in an IPsec map to reduce the size of data frames transmitted over a site-to-site VPN between 7200 Series or 7000 Series managed devices using IKEv2 authentication. IP compression can reduce the time required to transmit the frame across the network. When this hardware-based compression feature is enabled, the quality of unencrypted traffic (such as Lync or Voice traffic) is not compromised by increased latency or decreased throughput. IP compression is disabled by default.

 

This feature is only supported in an IPv4 network using IKEv2. This feature cannot be enabled on a 7205 managed device or on a site-to-site VPN established using IKEv1.

Configuring MAC Address for PSK Authentication

On Mobility Master, you can configure the MAC address of the managed device to be used for PSK authentication. The following procedure describes how to configure the MAC address of the managed device for PSK authentication:

1. In the Mobility Master node hierarchy, navigate to Configuration > Controllers.

2. Click + under the Local Controller IPSec Keys table.

3. Select Mac-based PSK from the Authentication drop-down list.

4. Enter the Mac address.

5. Enter the IPSec key.

6. Retype the IPsec key.

7. Click Submit.

8. Click Pending Changes.

9. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command configures the MAC address of the managed device for PSK authentication:

(host) [mynode] (config) #local-peer-mac 00:0c:29:00:00:00 ipsec 123456

You can configure the MAC-based PSK authentication on the managed device.

Working with Third-Party Devices

Managed devices can use IKEv1 or IKEv2 to establish a site-to-site VPN with another managed device or with third-party remote client devices. Devices running Microsoft® Windows 2008 can use Suite-B cryptographic algorithms and IKEv1 to support authentication using RSA or ECDSA. StrongSwan® 4.3 devices can use IKEv2 to support authentication using RSA or ECDSA certificates, Suite-B cryptographic algorithms, and pre-shared keys. These two remote clients are tested to work with managed devices using Suite-B cryptographic algorithms.

Working with Site-to-Site VPNs with Dynamic IP Addresses

ArubaOS supports site-to-site VPNs with two statically addressed managed devices, or with one static and one dynamically addressed managed device. Two methods are supported to enable dynamically addressed peers:

Pre-shared Key Authentication with IKE Aggressive Mode: The managed device with a dynamic IP address must be configured as the initiator of IKE Aggressive mode for site-to-site VPNs, while the managed device with a static IP address must be configured as the responder of IKE Aggressive mode. Note that when the managed device is operating in FIPS mode, IKE Aggressive mode must be disabled.

X.509 certificates: IPsec peers will identify each other using the subject name of X.509 certificates. IKE operates in Main mode when this option is selected. This method is preferred from a security standpoint.

Understanding VPN Topologies

You must configure VPN settings on the managed devices at both the local and remote sites. In the following figure, a VPN tunnel connects Network A to Network B across the Internet.

Figure 1  Site-to-Site VPN Configuration Components

 


To configure the VPN tunnel on managed device A, you must configure the following:

The source network (Network A)

The destination network (Network B)

The VLAN on which managed device A’s interface to the Layer-3 network is located (Interface A in Figure 1)

The peer gateway, which is the IP address of managed device B’s interface to the Layer-3 network (Interface B in Figure 1)

 

Configure VPN settings on the managed device at both the local and remote sites.

Configuring Site-to-Site VPNs

The following procedure describes how to configure a site-to-site VPN:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab and expand Site to Site.

2. In the IPsec Maps section, click + to open the Create New IPsec section.

3. Enter a name for this VPN connection in the Name field.

4. Select the Enabled check box so this configuration takes effect as soon as it is saved.

5. In the Priority field, enter a priority level for the IPsec map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made.

6. Select a Source network type to specify whether the VPN source, the local network connected to the managed device, is defined by an IP address or a VLAN ID.

If you selected IP Address, enter the IP address and netmask for the source network (see managed device A in Figure 1).

If you selected VLAN, click the VLAN drop-down list and select the VLAN ID for the source network.

7. In the Destination network and Destination subnet mask fields, enter the IP address and netmask for the destination, the remote network to which the local network communicates (see managed device B in Figure 1).

8. The SA Lifetime parameter defines the lifetime of the security association in seconds and kilobytes. For seconds, the default value is 7200. To change this value, enter a value between 300 and 86400 seconds. For kilobytes, enter a value between 1000 and 1000000000.

9. Click the IKE version drop-down list and select v1 to configure the VPN for IKEv1, or v2 for IKEv2.

10. (Optional) Click the IKE policy drop-down list and select a predefined or custom IKE policy to apply to the IPsec map. For more information on default IKE policies, see Table 1.

11. IKEv2 site-to-site VPNs between Mobility Master and 7000 Series managed devices support traffic compression between those devices. Select the IP compression check box to enable compression for traffic in the site-to-site tunnel.

12. Select the Factory certificate authentication check box to enable the authentication.

13. Select the VLAN containing the interface of the managed device that connects to the Layer-3 network (see Interface A in Figure 1).

This determines the source IP address used to initiate IKE.

14. If you enable PFS mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following Perfect Forward Secrecy modes:

group1: 768-bit Diffie–Hellman prime modulus group

group2: 1024-bit Diffie–Hellman prime modulus group

group14: 2048-bit Diffie–Hellman prime modulus group

group19: 256-bit random Diffie–Hellman ECP modulus group

group20: 384-bit random Diffie–Hellman ECP modulus group

15. Select the Pre-connect check box to establish the VPN connection, even if there is no traffic being sent from the local network. If you do not select this, the VPN connection is established only when traffic is sent from the local network to the remote network.

16. Select the Trusted tunnel check box if traffic between the networks is trusted. If you do not select this, traffic between the networks is untrusted.

 

Ensure that you always enable the Trusted tunnel option. The traffic cannot pass through if this option is disabled.

17. Select the Enforce NAT-T check box to enforce UDP 4500 for IKE and IPsec. This option is disabled by default.

18. Add one or more transform sets to be used by the IPsec map. Click +, and select an existing transform set or create a new one. Then click Submit to add that transform set to the IPsec map.

19. For site-to-site VPNs with dynamically addressed peers, select Dynamic from the Remote peer addressing drop-down list.

a. From the Peer gateway drop-down list, select Initiator if the dynamically addressed switch is the initiator of IKE Aggressive mode for site-to-site VPNs, or select Responder if the dynamically addressed switch is the responder for IKE Aggressive mode.

b. In the FQDN field, enter a FQDN for the managed device. If the managed device is defined as a dynamically addressed responder, you can select All Peers to make the managed device a responder for all VPN peers, or select Per Peer Id and specify the FQDN to make the managed device a responder for one specific initiator.

20. For Remote peer addressing that is Static, select one of the supported peer gateway types:

IP Address: Select this option to identify the remote end point of the VPN tunnel using an IP address.

FQDN: This option allows you to use the same FQDN across different branches. The FQDN resolves to a different IP address at each branch, based on its local DNS setting.

21. Define the Peer Gateway using an IP address or FQDN.

If you use IKEv1 to establish a site-to-site VPN for a statically addressed remote peer and selected IP Address in the previous step, enter the IP address of the interface that the remote peer uses to connect to the L3 network in the Peer gateway IPv4 or v6 field (see Interface B in Figure 1).

If you are configuring an IPsec map for a dynamically addressed remote peer and selected IP Address in the previous step, leave Peer gateway IPv4 or v6 set to its default value of 0.0.0.0.

If you selected FQDN as the peer gateway type in the previous step, enter the fully qualified domain name of the remote peer.

22. Select one of the following authentication types:

a. For PSK authentication, select PSK, select the Representation type, then enter a shared secret in the IKE shared secret and Retype shared secret fields. This authentication type is generally required in IPsec maps for a VPN with dynamically addressed peers, but can also be used for a static site-to-site VPN. Because IKEv1 Aggressive mode sends a hash derived from the shared secret before the peer is authenticated, an eavesdropper can run an offline dictionary attack against it; use a long, randomly generated secret, and a distinct secret per peer where the deployment allows.

b. For certificate authentication, select Certificate, then click the Server certificate and CA certificate drop-down lists to select certificates previously imported into the managed device. See Management Access for more information. Enter the Peer certificate subject name; this is the value the CLI sets with peer-cert-dn, and it must match the subject DN of the certificate the remote peer presents.

To identify the subject name of a peer certificate, issue the following command in the CLI:
show crypto-local pki servercert <certname> subject

23. Click Submit.

24. Click Pending Changes.

25. In the Pending Changes window, select the check box and click Deploy changes.

26. Click the IKEv1 or IKEv2 section (match the IKE version that you selected in Step 9) to configure an IKE policy.

a. Under IKE Policies, click + to open the Add IKE Policy configuration page.

b. Set the Priority to 1 for this configuration to take priority over the Default setting.

c. Select the Enable policy check box so the configuration takes effect as soon as it is saved.

d. Set the Encryption from the drop-down list.

e. Set the HASH algorithm from the drop-down list.

f. Set the Authentication to pre-share if you use pre-shared keys. If you use certificate-based IKE, select rsa or ecdsa.

g. Set the Diffie-Hellman group from the drop-down list.

h. Set the Lifetime to define the lifetime of the security association in seconds. The default value is 28800 seconds. To change this value, enter a value between 300 and 86400 seconds.

i. The IKE policy selections, including any PSK, must be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on the clients to match the choices made above. If you use the Aruba dialer, you must configure the dialer prior to downloading it onto the local client.

j. Click Submit.

k. Click Pending Changes.

l. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a site-to-site VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. with two static IP managed devices using IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409.:

(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>

src-net <ipaddr> <mask>

dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>

peer-ip <ipaddr>

vlan <ipsec-map-vlan-id>

version {v1|v2}

peer-cert-dn <peer-dn>

pre-connect {enable|disable}

trusted enable

 

The trusted disable sub-parameter is not supported on the managed device. Always use trusted enable so that traffic can pass through the tunnel.

For certificate authentication:

set ca-certificate <cacert-name>

set server-certificate <cert-name>

 

(host) [mynode] (config) #crypto isakmp policy <priority>

encryption {3DES|AES128|AES192|AES256|DES}

version {v1|v2}

authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}

group {1|2|14|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

lifetime <seconds>

For PSK authentication:

(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}

address <peer-address> netmask <mask>

 

(host) [mynode] (config) #crypto isakmp policy <priority>

encryption {3DES|AES128|AES192|AES256|DES}

version {v1|v2}

authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}

group {1|2|14|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

lifetime <seconds>
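As an added example (not ArubaOS code), the following Python script parses crypto isakmp policy blocks in the CLI syntax shown above and flags settings that fall below a hardening baseline. The baseline (which ciphers, hashes and Diffie-Hellman groups count as weak) is the example's own choice, aligned with RFC 8247, not an ArubaOS setting; the lifetime range it checks is the one documented in step 26h. The sample configuration is constructed, with the first block mirroring the values of the Default protection suite in Table 1.

```python
"""Audit ArubaOS-style 'crypto isakmp policy' blocks against a hardening baseline.

Added example, not ArubaOS code. The CLI syntax parsed here is the one shown on
this page; the baseline below is this example's own choice, aligned with
RFC 8247, not a device setting.
"""
import re
from dataclasses import dataclass, field

# Keyword values are the ones accepted by the command syntax on this page.
WEAK_ENCRYPTION = {"DES", "3DES"}          # 64-bit block ciphers
WEAK_HASH = {"md5", "sha", "sha1-96"}     # MD5 and SHA-1 based integrity
WEAK_DH_GROUPS = {1, 2}                   # 768-bit and 1024-bit MODP
LIFETIME_MIN, LIFETIME_MAX = 300, 86400   # range documented on this page


@dataclass
class IkePolicy:
    priority: int
    settings: dict = field(default_factory=dict)


def parse_policies(cli_text):
    """Parse one or more 'crypto isakmp policy <n>' blocks into IkePolicy objects."""
    policies = []
    current = None
    for raw in cli_text.splitlines():
        # A leading '(host) [mynode] (config) #' prompt, if present, is dropped.
        line = re.sub(r"^\(.*?\)\s*\[.*?\]\s*\(config\)\s*#\s*", "", raw.strip())
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = IkePolicy(priority=int(m.group(1)))
            policies.append(current)
            continue
        if current is None:
            continue                      # text outside any policy block
        key, _, value = line.partition(" ")
        current.settings[key] = value.strip()
    return policies


def audit_policy(policy):
    """Return a list of (severity, message) findings for one policy."""
    findings = []
    s = policy.settings
    enc = s.get("encryption", "")
    if enc in WEAK_ENCRYPTION:
        findings.append(("high", f"encryption {enc}: 64-bit block cipher, use AES128 or stronger"))
    h = s.get("hash", "")
    if h in WEAK_HASH:
        findings.append(("medium", f"hash {h}: MD5/SHA-1 based, use sha2-256-128 or sha2-384-192"))
    try:
        group = int(s.get("group", "0"))
    except ValueError:
        group = 0
    if group in WEAK_DH_GROUPS:
        findings.append(("high", f"group {group}: <=1024-bit MODP, use group 14, 19 or 20"))
    elif group == 0:
        findings.append(("medium", "group: not set, the device default applies"))
    lifetime = s.get("lifetime")
    if lifetime is not None:
        try:
            lt = int(lifetime)
        except ValueError:
            lt = -1
        if not (LIFETIME_MIN <= lt <= LIFETIME_MAX):
            findings.append(("medium", f"lifetime {lifetime}: outside {LIFETIME_MIN}-{LIFETIME_MAX} s"))
    if s.get("version") == "v1" and s.get("authentication") == "pre-share":
        findings.append(("low", "IKEv1 with pre-share: in Aggressive mode a PSK-derived hash is "
                                "exposed to offline guessing; prefer IKEv2 or certificates"))
    return findings


def audit_text(cli_text):
    """Map policy priority -> findings for every policy block in the text."""
    return {p.priority: audit_policy(p) for p in parse_policies(cli_text)}


# Constructed sample: the first block mirrors the 'Default protection suite'
# values in Table 1 (3DES, SHA-1, group 2); the second is a hardened policy.
SAMPLE_CONFIG = """
(host) [mynode] (config) #crypto isakmp policy 10001
encryption 3DES
version v1
authentication pre-share
group 2
hash sha
lifetime 28800
(host) [mynode] (config) #crypto isakmp policy 1
encryption AES256
version v2
authentication ecdsa-384
group 20
hash sha2-384-192
lifetime 28800
"""

if __name__ == "__main__":
    for prio, findings in audit_text(SAMPLE_CONFIG).items():
        print(f"policy {prio}: {'OK' if not findings else ''}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Paste the output of show running-config (or the policy blocks from this page) into SAMPLE_CONFIG to audit a real device; a policy with priority 1 that passes the audit will be offered before the default suites, as step 26b describes.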

To configure a site-to-site VPN between a static and a dynamically addressed managed device, where the dynamically addressed managed device initiates IKE Aggressive-mode for Site-Site VPN:

(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>

src-net <ipaddr> <mask>

dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>

peer-ip <ipaddr>

local-fqdn <local_id_fqdn>

vlan <ipsec-map-vlan-id>

pre-connect {enable|disable}

trusted enable

For the Pre-shared-key:

(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}

address <peer-address> netmask 255.255.255.255

For a static IP managed device that responds to IKE Aggressive-mode for Site-Site VPN:

(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name 2> <ipsec-map-number>

src-net <ipaddr> <mask>

dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>

peer-ip 0.0.0.0

peer-fqdn fqdn-id <peer_id_fqdn>

vlan <ipsec-map-vlan-id>

trusted enable

For the Pre-shared-key:

(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}

fqdn <ike-id-fqdn>

For a static IP managed device that responds to IKE Aggressive-mode for Site-Site VPN with one PSK for all FQDNs:

(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name 2> <ipsec-map-number>

src-net <ipaddr> <mask>

peer-ip 0.0.0.0

peer-fqdn any-fqdn

vlan <ipsec-map-vlan-id>

trusted enable

For the Pre-shared-key for All FQDNs:

(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}

fqdn-any

Supporting Null Encryption for IKEv1

Starting from ArubaOS 8.1.0.0, null encryption is supported as an IKEv1 encryption algorithm on XLP-based controllers. This reduces the load on the local router for Internet-destined traffic.

Null encryption does not increase the security of the routed traffic; it only signals that no encryption is applied to a particular transmission. With an esp-null transform the ESP payload crosses the network in cleartext, and only the integrity check (for example esp-sha-hmac) protects it against modification, so use it only for traffic that needs no confidentiality. Null encryption can now be configured as the encryption algorithm in a transform set, which can then be used in any crypto map.

Since null encryption is supported only for IKEv1, use it only in crypto maps with version v1.

The following procedure describes how to configure a new transformation set with null encryption as the encryption algorithm:

1. In the Managed Network node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand IKEv1.

3. In the IKEv1 IPSec Dynamic Maps table, click + to access the Add IKEv1 Dynamic Map section.

4. Click + in the Transforms field.

5. Select the Add new transform option in the New Transform window.

6. Select esp-null from the Encryption drop-down list.

7. Click Submit.

8. Click Pending Changes.

9. In the Pending Changes window, select the check box and click Deploy changes.

The following procedure describes how to add the transformation set in the crypto map created:

1. In the Managed Network node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Click Site to Site accordion.

3. In the IPSec Maps table, click + to access the Create New Ipsec section.

4. Click + in the Transforms field.

5. Select the Add existing transform option in the New Transform window.

6. Select an existing transform and click OK.

7. Click Submit.

8. Click Pending Changes.

9. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command configures a new transformation set with null encryption as the encryption algorithm:

(host) [mynode] (config) #crypto ipsec transform-set test esp-null esp-sha-hmac

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands add the transformation set in the crypto map created:

(host) [mynode] (config) #crypto-local ipsec-map test_map 500

(host) [mynode] (config-ipsec-map) #set transform-set test
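To make concrete what an esp-null esp-sha-hmac transform set puts on the wire, here is an added Python model (not ArubaOS code) of ESP with null encryption (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404): the payload is fully readable in the packet bytes, yet any modification is caught by the ICV. The header layout follows RFC 4303; the key, SPI and payload are constructed sample values.

```python
"""ESP with null encryption (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404).

Added example, not ArubaOS code: it models what an 'esp-null esp-sha-hmac'
transform set sends, to show that null encryption gives integrity but no
confidentiality. Key, SPI and payload are constructed sample values.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits
NEXT_HEADER_IPV4 = 4    # IP-in-IP, as carried by a tunnel-mode SA


def esp_null_encapsulate(key, spi, seq, payload, next_header=NEXT_HEADER_IPV4):
    """Build an ESP packet whose payload is authenticated but not encrypted."""
    # Pad so that Pad Length + Next Header end on a 4-byte boundary (RFC 4303 2.4).
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default pad bytes 1,2,3
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_decapsulate(key, packet):
    """Verify the ICV and return (spi, seq, payload, next_header); raise on tamper."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):    # constant-time comparison
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, payload, next_header


def payload_visible_on_wire(packet, payload):
    """True if the plaintext payload appears verbatim in the packet bytes."""
    return payload in packet


# Constructed sample values.
KEY = b"constructed-demo-key-not-for-use"
SPI = 0x1234ABCD
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    pkt = esp_null_encapsulate(KEY, SPI, 1, PAYLOAD)
    print("payload readable on the wire:", payload_visible_on_wire(pkt, PAYLOAD))
    print("verifies:", esp_null_decapsulate(KEY, pkt)[2] == PAYLOAD)
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01   # flip one bit of the first payload byte
    try:
        esp_null_decapsulate(KEY, bytes(tampered))
    except ValueError as e:
        print("tampered packet rejected:", e)
```

Anyone capturing the packet between the two sites reads the HTTP request as-is; what the tunnel still guarantees is that a modified packet, or one from a party without the SA key, fails the ICV check and is dropped.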

Adding ANY-ANY Crypto Map

Starting from ArubaOS 8.1.0.0, any-any traffic selectors are negotiated in IKEv1. This removes the need to define source and destination networks in each IPsec map and makes it practical to run many tunnels, with policy-based routing deciding which traffic enters each one. After the pre-connect flag is enabled for the IPsec map, IKE brings up the tunnel to the peer IP and proposes the any-any traffic selector.

PBR can also be configured to send specific or all traffic to the IPsec map, and can be applied to any VLAN, port, or user role.

Policy-based routing is required for the any-any traffic selector, which is supported only for IKEv1.

Data traffic does not trigger tunnel setup in ArubaOS 8.1.0.0; use pre-connect to bring the tunnel up.

The following procedure describes how to configure a crypto map with the any-any traffic selector:

1. In the Managed Network node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Click Site to Site accordion.

3. In the IPSec Maps table, click + to access the Create New Ipsec section.

4. Enter a Name.

5. Select Any from the Source network type drop-down list.

6. Select Any from the Destination network type drop-down list.

7. Click Submit.

8. Click Pending Changes.

9. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands enable crypto map to allow any any traffic selector:

(host) [mynode] (config-ipsec-map)# src-net any

(host) [mynode] (config-ipsec-map)# dst-net any

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure PBR Policy-based Routing. PBR provides a flexible mechanism for forwarding data packets based on polices configured by a network administrator. to send all or specific traffic onto the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. map:

(host) [mynode] (config) #ip access-list route ipsec-pbr

(host) [mynode] (config-route-ipsec-pbr)#any any any route ipsec-map <ipsec-map-name>

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands apply PBR Policy-based Routing. PBR provides a flexible mechanism for forwarding data packets based on polices configured by a network administrator. to vlan Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN., port, or user role:

(host) [mynode] (config) #interface vlan <id>

(host) [mynode] (config-subif) #ip access-group <name> in

Dead Peer Detection

DPD is enabled by default on the managed device for site-to-site VPNs. DPD, as described in RFC 3706, “A Traffic-Based Method of Detecting Dead IKE Peers,” uses IPsec traffic patterns to minimize the number of IKE messages required to determine the liveness of an IKE peer.

After a dead peer is detected, the managed device tears down the IPsec session. Once the network path or other failure condition has been corrected, a new IPsec session is automatically re-established.

The following CLI command configures the DPD parameters:

(host) [mynode] (config) #crypto-local isakmp dpd idle-timeout <idle_sec> retry-timeout <retry_sec> retry-attempts <retry_number>
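The three parameters decide how long a failed peer keeps an IPsec session alive before it is torn down. The following Python model is an added example, not ArubaOS code, and the page does not describe how the device schedules its R-U-THERE messages, so the model makes these assumptions: a probe is sent once no inbound traffic has been seen for idle-timeout seconds, an unanswered probe is retransmitted every retry-timeout seconds, and the peer is declared dead after the initial probe plus retry-attempts retransmissions all go unanswered. Any inbound packet (protected data or an R-U-THERE-ACK) proves liveness and resets the idle timer, which is the traffic-based behaviour of RFC 3706. The parameter values are constructed, not claimed to be the device defaults.

```python
"""Model of RFC 3706 dead peer detection driven by idle-timeout, retry-timeout
and retry-attempts.

Added example, not ArubaOS code. Assumptions (not taken from this page): a probe
goes out after idle_timeout seconds without inbound traffic, unanswered probes
are resent every retry_timeout seconds, and the peer is declared dead after the
initial probe plus retry_attempts retransmissions go unanswered. Times are in
seconds; the ACK round trip is treated as 0.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdConfig:
    idle_timeout: float
    retry_timeout: float
    retry_attempts: int


@dataclass
class DpdResult:
    declared_dead_at: Optional[float]
    probes_sent: List[float] = field(default_factory=list)


def simulate_dpd(cfg, inbound_traffic, peer_alive_until, horizon):
    """Run the model until the peer is declared dead or `horizon` is reached.

    inbound_traffic: times at which protected traffic arrives from the peer.
    peer_alive_until: the peer answers probes sent at or before this time.
    """
    traffic = sorted(inbound_traffic)
    last_inbound = 0.0
    outstanding = 0                      # probes sent since the last inbound packet
    next_probe = last_inbound + cfg.idle_timeout
    probes = []
    idx = 0
    while next_probe <= horizon:
        # Inbound data before the probe is due is proof of life: no probe needed.
        if idx < len(traffic) and traffic[idx] <= next_probe:
            last_inbound = traffic[idx]
            idx += 1
            outstanding = 0
            next_probe = last_inbound + cfg.idle_timeout
            continue
        t = next_probe
        probes.append(t)
        if t <= peer_alive_until:        # peer answers: the ACK resets the idle timer
            last_inbound = t
            outstanding = 0
            next_probe = t + cfg.idle_timeout
            continue
        outstanding += 1                 # unanswered probe
        if outstanding > cfg.retry_attempts:
            return DpdResult(declared_dead_at=t, probes_sent=probes)
        next_probe = t + cfg.retry_timeout
    return DpdResult(declared_dead_at=None, probes_sent=probes)


def worst_case_detection_delay(cfg):
    """Closed form under the model: idle period, then every retry unanswered."""
    return cfg.idle_timeout + cfg.retry_attempts * cfg.retry_timeout


# Constructed parameter values (not claimed to be the device defaults).
CFG = DpdConfig(idle_timeout=22, retry_timeout=2, retry_attempts=3)

if __name__ == "__main__":
    # Peer dies at t=0 and nothing else arrives: detection after idle + 3 retries.
    r = simulate_dpd(CFG, inbound_traffic=[], peer_alive_until=0, horizon=300)
    print("silent dead peer declared at", r.declared_dead_at, "probes:", r.probes_sent)
    # Data keeps flowing until t=50, so no probe is sent before then.
    r = simulate_dpd(CFG, inbound_traffic=[5, 15, 30, 45, 50], peer_alive_until=50, horizon=300)
    print("busy-then-dead peer declared at", r.declared_dead_at, "probes:", r.probes_sent)
    # Live peer: probes go out during idle periods, and each is acknowledged.
    r = simulate_dpd(CFG, inbound_traffic=[], peer_alive_until=1e9, horizon=100)
    print("live peer declared dead at", r.declared_dead_at, "probes:", r.probes_sent)
```

Under these assumptions the session survives a dead peer for idle-timeout + retry-attempts × retry-timeout seconds, which is the figure to weigh against a failover target; shrinking idle-timeout shortens that window but costs one probe per idle period on every tunnel, which is exactly the traffic RFC 3706 sets out to minimise.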

About Default IKE Policies

ArubaOS includes the following default IKE policies. These policies are predefined, but can be edited and deleted. You can do this in the CLI by using the crypto isakmp policy and crypto dynamic-map commands, or in the WebUI by navigating to Configuration > Services > VPN. To delete an IKE policy, select an existing policy and click the trash icon. Note that every default policy uses Diffie-Hellman group 2 (1024-bit MODP), and policy 10001 also uses 3DES and SHA-1; these are below current recommendations for IKE (see RFC 8247), so for new site-to-site tunnels define a higher-priority policy with AES, a SHA-2 hash and group 14, 19 or 20 rather than relying on the defaults.

Table 1: Default IKE Policy Settings

Policy Name                                | Policy Number | IKE Version | Encryption Algorithm | Hash Algorithm | Authentication Method | PRF Method | Diffie-Hellman Group
-------------------------------------------|---------------|-------------|----------------------|----------------|-----------------------|------------|---------------------
Default protection suite                   | 10001         | IKEv1       | 3DES-168             | SHA160         | Pre-Shared Key        | N/A        | 2 (1024 bit)
Default RAP Certificate protection suite   | 10002         | IKEv1       | AES-256              | SHA160         | RSA Signature         | N/A        | 2 (1024 bit)
Default RAP PSK protection suite           | 10003         | IKEv1       | AES-256              | SHA160         | Pre-Shared Key        | N/A        | 2 (1024 bit)
Default RAP IKEv2 RSA protection suite     | 1004          | IKEv2       | AES-256              | SHA160         | RSA Signature         | hmac-sha1  | 2 (1024 bit)
Default Cluster PSK protection suite       | 10005         | IKEv1       | AES-256              | SHA160         | Pre-Shared Key        | N/A        | 2 (1024 bit)
Default IKEv2 RSA protection suite         | 1006          | IKEv2       | AES-128              | SHA96          | RSA Signature         | hmac-sha1  | 2 (1024 bit)
Default IKEv2 PSK protection suite         |               |             |                      |                |                       |            |

10007

IKEv2 Internet Key Exchange version 2. IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306.

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. - 128

 

SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 96

Pre-shared key

 

hmac-sha1

2 (1024 bit)

Default Suite-B 128bit ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10008

IKEv2 Internet Key Exchange version 2. IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306.

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. - 128

SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 256-128

ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-256 Signature

 

hmac-sha2-256

 

Random ECP Group (256 bit)

Default Suite-B 256 bit ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10009

IKEv2 Internet Key Exchange version 2. IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306.

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. -256

SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 384-192

ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-384 Signature

 

hmac-sha2-384

 

Random ECP Group (384 bit)

Default Suite-B 128bit IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409. ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10010

IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409.

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-128

SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 256-128

 

ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-256 Signature

 

hmac-sha2-256

 

Random ECP Group (256 bit)

Default Suite-B 256‑bit IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409. ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10011

IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409.

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-256

SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 256-128

 

ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-256 Signature

 

hmac-sha2-256

 

Random ECP Group (256 bit)